URL completion font too small, wrong order, big security risk

RESOLVED WONTFIX

Status


Firefox
Address Bar
RESOLVED WONTFIX

People

(Reporter: Josh, Unassigned)

Tracking

(Blocks: 1 bug)

48 Branch


Details

(Whiteboard: [fxsearch])

Attachments

(2 attachments)

(Reporter)

Description

a year ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:42.0) Gecko/20100101 Firefox/42.0

Steps to reproduce:

Put the cursor in the address bar.

Type some text in order to bring up auto-completion list. (search suggestions are disabled)

Firefox 48 on Ubuntu 14.04 (Unity).


Actual results:

The HTML title element text is shown first, and the URLs are now second.

The URL fonts are too small to read easily and they should come before the titles. Also, the color is a dim orange on Ubuntu 14.04, making it even more difficult to read.

This is a security hazard for users, because previously-visited malicious sites could use the title element to trick users into thinking that they are visiting a different site (based on title text rather than unique URL). Users won't double-check the URL after seeing the title text.

Example:
Attacker could get a user to click on a page about cute kittens that quietly has the title "PayPal - Send Money, Pay Online or Set Up a Merchant Account - PayPal" (even more like PayPal than the real site because the word PayPal comes first). Then the next time the user types "paypal" in the address bar, the title on the funny cats site comes up, showing "PayPal..." as the auto completion. The user visits the funny cats site thinking that it's PayPal, and in the meantime the attacker has switched the content from funny cats to a PayPal-looking login page. Phishing attack complete.

PayPal is just an example. This kind of address bar could very easily be used to get people to download malicious software instead.

If you don't understand the attack from my explanation, let me know and I will make a video demonstration on how it can be performed.

In any case, it's also bad from a usability standpoint, since I can't read the URLs, and my stress level is going up when using Firefox, because I have to double-check every URL and the fonts are too small and faint to see clearly.


Expected results:

Ideally, the URL should come first -- both for usability and safety. At the very minimum, there should be a way to override the settings so that the URL comes first. It's extremely difficult to scan the URLs because the edge of the text zigzags and the URL font is too small and in the wrong color. I've checked about:config and don't see how to override it. I've checked the web extensions API and don't see how to override it with an extension either.

Comment 1

a year ago
(In reply to Josh from comment #0)
> This is a security hazard for users, because previously-visited malicious
> sites could use the title element to trick users into thinking that they are
> visiting a different site (based on title text rather than unique URL).
> Users won't double-check the URL after seeing the title text.
> 
> Example:
> Attacker could get a user to click on a page about cute kittens that quietly
> has the title "PayPal - Send Money, Pay Online or Set Up a Merchant Account
> - PayPal" (even more like PayPal than the real site because the word PayPal
> comes first). Then the next time the user types "paypal" in the address bar,
> the title on the funny cats site comes up, showing "PayPal..." as the auto
> completion. The user visits the funny cats site thinking that it's PayPal,
> and in the meantime the attacker has switched the content from funny cats to
> a PayPal-looking login page. Phishing attack complete.

I don't understand why this is worse than just showing the phishing attack immediately. If you managed to get the user to a page the first time, and you're saying they don't read the URL in the location bar, why bother to rely on the title the second time (and also, don't you think the "Paypal" title will look weird above the kittens the first time)?

Note also that the change in visual design did not change the order in which results appear, and so if anything the exact same attack was possible before. I'm also not convinced that the font size of the URL was any different before vs. after the changes - it certainly doesn't look that way on Windows, though it is of course possible that there is some kind of subtle bug that has reduced the size on Linux. Have you compared the two versions on Ubuntu and their respective font sizes?
Blocks: 1262507
Group: firefox-core-security
Component: Untriaged → Location Bar
Flags: needinfo?(hostelmarketing)
(Reporter)

Comment 2

a year ago
I've created a sample walkthrough with screenshots. I'll upload it right after I post this comment.

The problem is that page titles can be faked very easily, while URLs are more difficult.

Also, regarding usability:
Using Firefox really slows me down now, because I have to check each URL to be sure that I'm going to the correct page -- for example: am I going to the website that I want? The Slack channel? The GitHub repo? The subreddit? The titles are too similar for me to tell without laboriously trying to read the URLs on the far right side of the screen. It would be very easy to manipulate this to send non-alert users to the wrong place.

My screenshots also show the font size and color problems with the URLs.
(Reporter)

Comment 3

a year ago
Actually, first I should ask: will the attachment be visible to the public? It explains how to do a phishing attack on people who use Firefox, so I want to be sure before I upload it.

Comment 4

a year ago
(In reply to Josh from comment #3)
> Actually, first I should ask: will the attachment be visible to the public?

Yes. I can make them private after you upload them.

> It explains how to do a phishing attack on people who use Firefox, so I want
> to be sure before I upload it.

If all you're doing is showing screenshots that follow the steps in comment #0 then it's not clear to me how that changes how much you're explaining how to execute a phishing attack, so I don't think the screenshots need to be private.

If that makes a difference: just to show the problem of readability, I don't think you need to "explain how to do a phishing attack on people who use Firefox" - all you need is a screenshot of what the text looks like on your machine.


Really, in order for this to be a sensible bugreport there needs to be:
a) compelling evidence that making people re-visit a site that is a phishing site is somehow "more convincing" than making them visit it the first time and phishing them immediately - phishing depends on there being as few manual steps as possible for the user to complete, because every additional step risks users not completing the "funnel", much like in "normal" e-commerce. Adding the "later, look for paypal" step adds steps, so it's not clear how that improves the chance of the phish succeeding.

AND

b) compelling evidence that the new awesomebar popup layout made a material difference here, which I asked for before and you have not answered. Your argument that the list of URLs is harder to scan is unrelated to phishing, and AIUI the font size and colour is the same as before, so it's not clear to me why you believe the new look is worse from a phishing/security perspective.
(Reporter)

Comment 5

a year ago
> a) compelling evidence that making people re-visit a site that is a phishing site is somehow "more convincing" than making them visit it the first time and phishing them immediately - phishing depends on there being as few manual steps as possible for the user to complete, because every additional step risks users not completing the "funnel", much like in "normal" e-commerce. Adding the "later, look for paypal" step adds steps, so it's not clear how that improves the chance of the phish succeeding.

It's very easy to trick non-savvy users this way. When I'm using Firefox 48, now I have to double check each URL, because titles are easily faked. It's less easy to perform this kind of phishing with URLs.

> b) compelling evidence that the new awesomebar popup layout made a material difference here, which I asked for before and you have not answered. Your argument that the list of URLs is harder to scan is unrelated to phishing, and AIUI the font size and colour is the same as before, so it's not clear to me why you believe the new look is worse from a phishing/security perspective.

My answer is in the PDF document that was already finished when I wrote my comment, so I didn't write it out again here.

The order makes a huge difference. Phishing works by catching users off guard. If the user types "paypal" (for example) into the address bar and the browser *suggests* the site as the PayPal that they've always visited, they don't stop to read all the way to the end to see that it isn't the correct site. If it's difficult for me to read the URLs now (an advanced Firefox user with technical background and high attention to detail) then many non-savvy users won't see it.

I've written up an entire sequence of how the attack can work from start to finish and it would most definitely work against a larger percentage of users than if the URL comes first.

Also, it seems like a bad idea to make this issue public before fully understanding it.

I will upload one of the screenshots. The way to inject the fake title into the browser is very easy to do with non-savvy users. Even if they know that it's a bad site the first time they visit it, the URL will still be stored in their history, but there are also ways to inject it there without them suspecting anything.
(Reporter)

Comment 6

a year ago
Created attachment 8780725 [details]
See Firefox's suggestion on what site to visit. Users won't read to the end.

See my comments on the main thread.
(Reporter)

Comment 7

a year ago
Created attachment 8780727 [details]
Example phishing page.

Users don't read URLs if the browser has already confirmed the destination. They found what they want, and the site looks as expected.
(Reporter)

Comment 8

a year ago
The easiest way to inject the fake title is to get users to visit a page and then do this while they are watching a cat video.

`document.getElementsByTagName('title')[0].text = 'PayPal Login -- Send Money, Pay Online or Set Up a Merchant Account'`
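Taking the defender's side of the point made above (a page title is entirely under the page's control, while the hostname is not), here is an added example that is not part of the bug report or of Firefox: a small check that walks browser history entries and flags those whose title names a well-known brand that the URL's registrable domain does not belong to. The brand table, the history entries and the naive eTLD+1 helper are all constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed brand -> registrable domains table (constructed for this example).
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "github": {"github.com"},
}

# Constructed sample history entries: (url, title). The third one mimics
# the scenario in the bug: a cat page carrying a PayPal-looking title.
SAMPLE_HISTORY = [
    ("https://www.paypal.com/signin", "Log in to your PayPal account"),
    ("https://github.com/mozilla/gecko-dev", "GitHub - mozilla/gecko-dev"),
    ("http://funny-cats.example/video",
     "PayPal - Send Money, Pay Online or Set Up a Merchant Account - PayPal"),
    ("https://cats.example/kittens", "Cute kittens compilation"),
]


def registrable_domain(host):
    """Naive eTLD+1: the last two labels of the host. Adequate for .com-style
    hosts; a real tool would consult the public suffix list (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brands_in_title(title):
    """Return the known brand names that occur as whole words in the title."""
    words = set(re.findall(r"[a-z0-9]+", title.lower()))
    return {brand for brand in BRAND_DOMAINS if brand in words}


def title_host_mismatches(history):
    """Return (url, title, brand) for entries whose title claims a brand
    that the URL's registrable domain does not belong to."""
    findings = []
    for url, title in history:
        domain = registrable_domain(urlsplit(url).hostname or "")
        for brand in brands_in_title(title):
            if domain not in BRAND_DOMAINS[brand]:
                findings.append((url, title, brand))
    return findings


if __name__ == "__main__":
    for url, title, brand in title_host_mismatches(SAMPLE_HISTORY):
        print(f"title claims {brand!r} but host is "
              f"{urlsplit(url).hostname}: {url}")
```

Run against the constructed history it reports only the cat page, since the genuine PayPal and GitHub entries have titles that match their domains.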
(Reporter)

Comment 9

a year ago
If you want a live demo, I will create a webpage that you can visit.

Comment 10

a year ago
(In reply to Josh from comment #5)
> Also, it seems like a bad idea to make this issue public before fully
> understanding it.

I think we simply have different understandings of the issue, but I accept that I am a fallible human being, so I'll ask for a second opinion. Dan?

(In reply to Josh from comment #7)
> Users don't read URLs if the browser has already confirmed the destination.
> They found what they want, and the site looks as expected.

Sure - but if you're on the web already, a link that says it goes to paypal.com that really goes to some-evil-site.com has exactly the same problem (the tooltips with URLs that browsers show when you hover a link can be fooled with some sprinklings of javascript and onmousedown, which you can see in action on (for example) google results pages). First linking them to a page with cats that you then hope will show up in the location bar autocomplete based on the title is much more convoluted and less likely to succeed. This is especially true if people have visited paypal before (implied by "the site looks as expected") which will mean (real) paypal pages will be suggested before the once-visited cats-phishing-to-paypal page, because the hostname matches the real site as well and it has a higher number of visits and might be bookmarked, and is more likely to be https.
Flags: needinfo?(hostelmarketing) → needinfo?(dveditz)
We don't need to hide this bug. At heart it's a usability issue and opinions differ. I don't personally find the URLs "too small", but I'm sympathetic to Josh because I hate having to scan a variable distance on each line to find them. For me (but not others, I understand) the vertical space reclaimed by the 1-line layout isn't worth it. My screen resolution is good enough that I don't often get truncation, but sometimes important bits of the URL get obscured and there's no hovertext or other way to read the full URL.

On reflection I guess I do appreciate more vertical space for results because changes to the frecency algorithm have made the results much less likely to be what I want without digging further into the list. Haven't put my finger on what the change is, but the result I want is almost never first and in the past the first result was the right result quite often.
Flags: needinfo?(dveditz)
We discussed this at the team meeting today with Stephen and the consensus was that since there is no security issue here, this works as expected. The smaller font for the URL is used because URLs tend to be long and they are secondary information for end users.
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Resolution: --- → WONTFIX
Whiteboard: [fxsearch]
(Reporter)

Comment 13

a year ago
> changes to the frecency algorithm have made the results much less likely to be what I want without digging further into the list.

The previous auto-completion functionality there was perfect. I used it in my arguments for why people should use Firefox. Now it is a drag on productivity and increases cognitive load. It also seems to lag before showing results. There doesn't seem to be a way to fix it in about:config.

> We discussed this at the team meeting today with Stephen and the consensus was that since there is no security issue here, this works as expected. The smaller font for the URL is used because URLs tend to be long and they are secondary information for end users.

I will post a blog post with a working demonstration of why it's a security hazard (and usability problem). It might take me a couple of days before I have time to finish it though.
(Reporter)

Comment 14

a year ago
I've created a working example that would trick most non-savvy Internet users. I'll post a link here to a rough version as soon as I can get it uploaded with some text that explains it. If that page doesn't convince you, then I'll polish up the example and include a detailed blog post. I think the example will clearly demonstrate that training users to look at titles without checking URLs enables very easy phishing and malware attacks.